Gateway Certificate Renewal

In this tutorial, you will learn how-to renew a suSSHi Gateway certificate.

Warning

suSSHi Gateway certificates are valid for a period of 5 years. When a gateway certificate expires, the gateway can no longer establish a SIC (Secure Internal Communication) connection to suSSHi Chef, which effectively means that the gateway stops working for new connections. Renew the certificate before that happens; the procedure below works for a certificate that has already expired as well as for one that is about to expire.

Requirements

To be able to renew the certificates, you need access to the suSSHi Chef and Gateway containers.

Note

Before you start, please make sure that you have created a database backup. You should also check that there are no pending changes, or apply any pending changes beforehand.

First of all, you must determine the name of the gateway whose certificate has expired or will expire shortly.

../../_images/certificate_renewal_old.png

In this article, we use susshi as the name of the gateway. We also refer to the suSSHi Chef container as susshi-chef and use susshi as the name for the suSSHi Gateway container as well.

Next, enter the suSSHi Chef container …

docker-compose exec susshi-chef bash

… and run the certificate renewal task.

rails chef:renew_gateway_certificates gateway=<GATEWAY_NAME>
root@susshi-dev-011:/home/susshi/docker# docker-compose exec susshi-chef bash
root@susshi-chef:/opt/wasabi/susshi-chef# rails chef:renew_gateway_certificates gateway=susshi
Renew gateway certificates
==========================
Gateway: susshi (0001)
Current certificate details:
* Internal: 2019-12-13 10:14:51 UTC - 2024-12-16 10:14:51 UTC - 45:8C:5B:34:18:CB:6C:2D:03:CA:BC:18:5A:A6:E0:F4:49:B0:92:13
* Rsyslog : 2019-12-13 10:14:51 UTC - 2024-12-16 10:14:51 UTC - 35:C2:95:4B:BF:A5:26:85:94:A6:9D:FF:BE:79:BC:51:F5:55:EA:6D
Renewed certificate details:
* Internal: 2024-12-18 11:12:35 UTC - 2029-12-18 11:12:35 UTC - 2C:33:87:E1:3D:1E:77:A5:40:67:D3:2F:32:EA:F0:B4:F3:8D:F5:07
* Rsyslog : 2024-12-18 11:12:36 UTC - 2029-12-18 11:12:36 UTC - 6D:62:8F:2C:C8:B2:EC:1B:CD:97:B0:1E:05:A9:BE:D0:42:3D:A9:DA
Please stop the gateway and run the following command:
docker-compose run --rm <container> -s 57fbebd7c98e672f32746f8d01030ad3

If the task succeeded, the output lists the current (expired or expiring) certificates and the renewed ones, each with its validity period and fingerprint. Keep the renewed fingerprints: they let you confirm afterwards which certificate the gateway actually installed. The gateway only obtains the renewed certificate by registering again, so stop the gateway container as the task output asks, then re-run the registration with the PSK the task printed. Treat that PSK as a secret: it is the pre-shared key that lets the registration download the gateway's certificate.

docker-compose run --rm <GATEWAY_NAME> -s <GATEWAY_PSK>
root@susshi-dev-011:/home/susshi/docker# docker-compose run --rm susshi -s 57fbebd7c98e672f32746f8d01030ad3
Creating docker_susshi_run ... done
info  : [00001] (system)  suSSHi2 - susshid version 24.12.0 (Release build) started.
info  : [00001] (system)  Initializing Secure Internal Communication (SIC). Gathering gateway information ...
warn  : [00001] (system)  Overwriting existing file /opt/wasabi/susshi/config/ca.pem
warn  : [00001] (system)  Overwriting existing file /opt/wasabi/susshi/config/cert-0001.p12
info  : [00001] (system)  SIC initialization completed successfully. You are now ready to run susshid in normal daemon operation.

After re-registering the suSSHi Gateway, you can spin up the gateway container again.

docker-compose up -d susshi

Finally, wait a few moments and verify that the gateway can connect to suSSHi Chef using the renewed certificate. The log line "Gateway Chef #1 returned with 200 - OK" shows that the SIC connection to Chef succeeded; the gateway then forks its reporting, monitor and rsyslog daemons and starts listening on port 22.

docker-compose logs susshi
root@susshi-dev-011:/home/susshi/docker# docker-compose up -d susshi
root@susshi-dev-011:/home/susshi/docker# docker-compose logs susshi
Attaching to susshi
susshi                   | info  : [00001] (system)  suSSHi2 - susshid version 24.12.0 (Release build) started.
susshi                   | info  : [00001] (system)  Waiting for 15 seconds before trying to connect to chef.
susshi                   | info  : [00001] (system)  Gateway Chef #1 returned with 200 - OK
susshi                   | info  : [00001] (system)  Forked reporting daemon with pid 8
susshi                   | info  : [00001] (system)  Forked monitor daemon with pid 9
susshi                   | info  : [00001] (system)  Forked rsyslog daemon with pid 10
susshi                   | info  : [00001] (system)  Listening for new connections on 0.0.0.0 port 22
susshi                   | info  : [00001] (system)  Listening for new connections on :: port 22
susshi                   | info  : [00009] (system)  HTTP health monitor-server ready for query on http://<hostname>:80
../../_images/certificate_renewal_new.png
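A 200 - OK from Chef proves the connection works, but not which certificate the gateway is using. The script below is an added example, not part of suSSHi or of this tutorial: it reads the certificate out of the gateway's PKCS#12 bundle (the page shows /opt/wasabi/susshi/config/cert-0001.p12), compares its fingerprint with the "Renewed certificate details" line in the chef:renew_gateway_certificates output, and also answers the question raised by the warning above, namely whether the certificate is still valid for a given number of days. It assumes openssl is installed, that the bundle password is known to you and passed as the second argument (how suSSHi protects the bundle is not documented here), and that the task output has the format shown above.

```shell
#!/bin/sh
# Added example (not part of suSSHi or the original tutorial).
# Assumptions: openssl is installed; the gateway's SIC certificate lives in a
# PKCS#12 bundle such as /opt/wasabi/susshi/config/cert-0001.p12; the bundle
# password is supplied by the caller (not documented on the page).

# Print the notAfter date and SHA-1 fingerprint of the client certificate in a
# PKCS#12 bundle. Bag attributes printed by `openssl pkcs12` are skipped by
# `openssl x509`, which only reads the PEM block.
p12_cert_info() {
  p12="$1"; pass="$2"
  openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" 2>/dev/null \
    | openssl x509 -noout -enddate -fingerprint -sha1
}

# Fingerprint as colon-separated upper-case hex, the same form the Chef task
# prints. OpenSSL 1.1 labels the line "SHA1 Fingerprint=", OpenSSL 3 "sha1 ...".
p12_fingerprint() {
  p12_cert_info "$1" "$2" | sed -n 's/^[Ss][Hh][Aa]1 Fingerprint=//p'
}

# Exit 0 if the certificate stays valid for at least $3 more days, 1 otherwise
# (openssl -checkend does the date arithmetic).
p12_valid_for_days() {
  p12="$1"; pass="$2"; days="$3"
  openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" 2>/dev/null \
    | openssl x509 -noout -checkend $((days * 86400)) >/dev/null
}

# Extract the Internal fingerprint from the "Renewed certificate details"
# section of a saved chef:renew_gateway_certificates transcript ($1).
renewed_fingerprint_from_task_output() {
  sed -n '/^Renewed certificate details:/,$p' "$1" \
    | sed -n 's/^\* Internal: .* - \([0-9A-F:]*\)$/\1/p' | head -n 1
}

# Compare what the gateway has with what Chef issued, then check remaining
# validity. Returns 0 (ok), 1 (fingerprint mismatch) or 2 (expiring soon).
verify_gateway_cert() {
  p12="$1"; pass="$2"; task_output="$3"; min_days="$4"
  expected=$(renewed_fingerprint_from_task_output "$task_output")
  actual=$(p12_fingerprint "$p12" "$pass")
  if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
    echo "MISMATCH: gateway has '$actual', Chef issued '$expected'" >&2
    return 1
  fi
  if ! p12_valid_for_days "$p12" "$pass" "$min_days"; then
    echo "EXPIRING: certificate expires within $min_days days" >&2
    return 2
  fi
  echo "OK: gateway runs the renewed certificate ($actual)"
}

# Usage: verify_gateway_cert.sh <cert.p12> <password> <task-output.txt> [min-days]
if [ "$#" -ge 3 ]; then
  verify_gateway_cert "$1" "$2" "$3" "${4:-30}"
fi
```

Run it on the gateway host against the bundle that the registration step overwrote, with the saved task output as the third argument; a non-zero exit with MISMATCH means the gateway is still on the old certificate (the registration did not run, or ran against a different container), and EXPIRING is the check to put into routine monitoring so the 5-year limit is never hit unnoticed.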